Cybersecurity Testing and Analysis for Web Applications
William GJ Halfond
Center for Systems and Software Engineering
University of Southern California
Research Area
Software Engineering Quality Assurance
• Security
• Testing
• Analysis
Importance of Web Applications
• Yahoo's projected revenue in 2008 = $7.2 billion.
• Bank of America services over 23 million visitors a month.
• Facebook has over 120 million active users.
Problems in Web Applications
• Amazon.com: 60 sec = $30,000
• Average data breach: $6.6 million
• Downtime cost = $3.6 million
• Reported software vulnerabilities
Current Approaches
1. Web crawlers and scanners
2. Scenario-based testing
Web Crawlers
Problems with Web Crawling
Scenario-Based Testing
General Process:
1. Define use cases
2. Check each use case
+ Realistic
– Incomplete
– Tests known behaviors
Research Overview
Goal: Improve quality of web applications
1. Develop new techniques
2. Adaptation of existing techniques
Method: Develop and apply program analysis techniques to web applications in order to analyze and understand their structure and runtime behavior.
Benefits:
• Accurate and complete
• Automatable
Key Differences
Observation: Many software quality assurance techniques are not directly applicable to web applications.
Complications:
• Interface definitions
• Control flow
• Generated object programs
• Data flow
Problem: Traditional abstractions look very different in web applications.
Developed Techniques
1. Accepted Interface Analysis: improve test coverage, discover vulnerabilities
2. Component Output Identification: static verification of correctness
3. Control-Flow Analysis: verify runtime behaviors
Traditional Interface
public void write(File outfile, String buffer, int length)
1) Parameter names
2) Grouping of parameters
3) Domain information
Web Application Interfaces
1. Parameter names
2. Grouping of parameters
3. Domain information

void service(Request req) {
    String dbQuery = "select * from db where ";
    String search = req.getParameter("search");
    dbQuery += "name like '" + search + "' and ";   // query built by string concatenation
    String searchType = req.getParameter("sPref");
    if (searchType.equals("zip")) {
        int zip = Integer.parseInt(req.getParameter("zip"));
        dbQuery += "zip=" + zip;
    } else if (searchType.equals("type")) {
        String type = req.getParameter("business");
        dbQuery += "type=" + type;
    } else {
        String state = req.getParameter("state");
        dbQuery += "state=" + state;
    }
    ResultSet results = execute(dbQuery);
    print(results);
}
Interface Information

Interface  Name      Domain Type  Constraints
1          search    String       -
1          sPref     String       sPref = "zip"
1          zip       Integer      -
2          search    String       -
2          sPref     String       sPref ≠ "zip", sPref = "type"
2          business  String       -
3          search    String       -
3          sPref     String       sPref ≠ "zip", sPref ≠ "type"
3          state     String       -
Testing Improvements
[Chart: % statement coverage, % branch coverage, # command forms; WAMDF vs. Spider]
Branch coverage increase: 48%
Statement coverage increase: 30%
Command form increase: 94%
Penetration Testing
[Diagram: a White Hat Tester sends malformed input (!@#$) to the Web Application (HTML front end, Servlets), which is connected to the DB and Other Systems; the tester's goal is to reach Secret Data!]
Penetration Testing Results
[Chart: # SQL injection vulns., # XSS vulns.; WAMDF vs. Spider]
Vulnerability detection increase: 365%
Vulnerability detection increase: 282%
Traditional Invocation Verification
public void write(File outfile, String buffer, int length)
write(file, string, int)      – matches the declared interface
write(file, string, string)   – type mismatch in the third argument
Web Application Invocations
Analysis to Identify Invocations
Component Output Analysis
[Diagram: Web Application whose Servlets generate HTML; the analysis extracts Interface Invocations from that generated output]
Invocation Verification
[Diagram: searchpage.jsp invokes dosearch.jsp; a mismatched invocation is marked X]
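Added example, not the author's tool: the invocation check above, written out for the searchpage.jsp → dosearch.jsp case. The accepted interfaces of dosearch.jsp are transcribed from the slide's table; the HTML standing in for searchpage.jsp's output is constructed for this example and deliberately contains a misspelled parameter name and a non-numeric zip value, so both kinds of mismatch (no interface with that parameter set, and a static value outside the domain) are reported. The HTMLParser subclass and the reason strings are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Accepted interfaces of dosearch.jsp, transcribed from the slide's table:
# (parameter -> domain type, constraints as (param, op, value)).
DOSEARCH_INTERFACES = [
    ({"search": "String", "sPref": "String", "zip": "Integer"},
     [("sPref", "=", "zip")]),
    ({"search": "String", "sPref": "String", "business": "String"},
     [("sPref", "!=", "zip"), ("sPref", "=", "type")]),
    ({"search": "String", "sPref": "String", "state": "String"},
     [("sPref", "!=", "zip"), ("sPref", "!=", "type")]),
]

# Constructed stand-in for the HTML that searchpage.jsp emits: two forms and
# one link, all invoking dosearch.jsp. The second form misspells "business";
# the link passes a non-numeric value for the Integer parameter zip.
SEARCHPAGE_HTML = """
<form action="dosearch.jsp" method="get">
  <input type="text" name="search">
  <input type="hidden" name="sPref" value="zip">
  <input type="text" name="zip">
</form>
<form action="dosearch.jsp" method="post">
  <input type="text" name="search">
  <input type="hidden" name="sPref" value="type">
  <input type="text" name="bussiness">
</form>
<a href="dosearch.jsp?search=cafe&amp;sPref=zip&amp;zip=abc">cafes near me</a>
"""


class InvocationExtractor(HTMLParser):
    """Collects invocations of `target` from forms and links. Each invocation
    maps parameter name -> statically known value, or None when the user
    supplies the value at runtime."""

    def __init__(self, target):
        super().__init__()
        self.target = target
        self.invocations = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {} if a.get("action") == self.target else None
        elif tag == "input" and self._form is not None and "name" in a:
            self._form[a["name"]] = a.get("value")
        elif tag == "a" and "href" in a:
            url = urlsplit(a["href"])
            if url.path == self.target:
                self.invocations.append(dict(parse_qsl(url.query)))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.invocations.append(self._form)
            self._form = None


def value_ok(value, dtype, name, constraints):
    """A statically known value must fit the domain type and every constraint
    on this parameter; an unknown (user-supplied) value cannot be judged here."""
    if value is None:
        return True
    if dtype == "Integer" and not value.lstrip("-").isdigit():
        return False
    for p, op, v in constraints:
        if p == name and ((op == "=") != (value == v)):
            return False
    return True


def verify_invocation(inv, interfaces):
    """Return (ok, reason): accepted if the invocation's parameter names equal
    some interface's names and every static value fits that interface."""
    reasons = []
    for i, (params, constraints) in enumerate(interfaces, 1):
        if set(inv) != set(params):
            reasons.append(f"interface {i}: parameter set differs")
            continue
        bad = [n for n, v in inv.items() if not value_ok(v, params[n], n, constraints)]
        if not bad:
            return True, f"matches interface {i}"
        reasons.append(f"interface {i}: bad value for {', '.join(bad)}")
    return False, "; ".join(reasons)


def verify_page(html, target, interfaces):
    """Extract every invocation of `target` from `html` and verify each one."""
    extractor = InvocationExtractor(target)
    extractor.feed(html)
    return [verify_invocation(inv, interfaces) for inv in extractor.invocations]


if __name__ == "__main__":
    for ok, reason in verify_page(SEARCHPAGE_HTML, "dosearch.jsp", DOSEARCH_INTERFACES):
        print("OK " if ok else "X  ", reason)
```

The first form is accepted; the second is rejected because no interface reads a parameter named "bussiness", and the link is rejected because "abc" is outside the Integer domain of zip. Values typed by the user are passed through as unknown, which is exactly the gap the runtime checks on the later slides are meant to close.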
Verification Results
High-level Analysis
[Diagram: Web Application containing login.jsp, memberInfo.jsp and shoppingCart.jsp, accessed by End Users and by an Attacker]
Areas of Future Work in Analysis
• Protocol Analysis
• Object Program Semantics
[Diagram: Control Flow, Data Flow (Def / Use chains) and Object Programs generated by the Servlet: JavaScript, SQL, HTML]
Summary
• Research focused on quality assurance for web applications
• Promising results in basic areas
• Future work in higher-level analysis